957160 – (CVE-2015-0860) VUL-1: CVE-2015-0860: dpkg: stack overflows and out of bounds read

Bug 957160 (CVE-2015-0860) - VUL-1: CVE-2015-0860: dpkg: stack overflows and out of bounds read

Summary: VUL-1: CVE-2015-0860: dpkg: stack overflows and out of bounds read

Status:	RESOLVED FIXED

Alias:	CVE-2015-0860

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/159179/
Whiteboard:	CVSSv2:RedHat:CVE-2015-0860:4.4:(AV:L...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-11-30 13:49 UTC by Alexander Bergmann
Modified:	2017-06-15 21:27 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2015-11-30 13:49:54 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=1286011

Debian fixed the following flaw in dpkg:

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format.

Additional information:

https://lists.debian.org/debian-security-announce/2015/msg00312.html
http://seclists.org/oss-sec/2015/q4/389\

CVE-2015-0860 was assigned to this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1286011
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0860
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0860.html
http://www.debian.org/security/2015/dsa-3407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0860

Comment 1 Tomáš Chvátal 2015-11-30 14:49:13 UTC

For SLE we do not distribute but can update to 1.16.16 from the .10 to be covered in leap.

On Factory there is no fixed version from 1.18 series so far from what i can see.

Comment 2 Swamp Workflow Management 2015-11-30 23:01:27 UTC

bugbot adjusting priority

Comment 3 Alexander Bergmann 2015-12-01 07:14:45 UTC

The dpkg package is part of the SUSE Linux Enterprise Build System Kit 12.

Comment 4 Petr Gajdos 2017-04-05 11:09:29 UTC

https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0

Comment 5 Petr Gajdos 2017-04-05 11:10:31 UTC

There are two additional commits referenced in readhat bug, perhaps we can include them too.

Comment 6 Petr Gajdos 2017-04-05 11:56:46 UTC

Affected: 12sp1/dpkg

Tumbleweed and 12sp2 has the fix already in.

Comment 7 Petr Gajdos 2017-04-05 12:08:33 UTC

Package submitted.

Comment 9 Swamp Workflow Management 2017-04-24 16:09:58 UTC

SUSE-SU-2017:1096-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 957160
CVE References: CVE-2015-0860
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    update-alternatives-1.16.10-12.6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    update-alternatives-1.16.10-12.6.1

Comment 10 Swamp Workflow Management 2017-05-08 16:17:03 UTC

openSUSE-SU-2017:1205-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 957160
CVE References: CVE-2015-0860
Sources used:
openSUSE Leap 42.1 (src):    dpkg-1.16.10-14.1, update-alternatives-1.16.10-14.1

Comment 11 Marcus Meissner 2017-06-15 21:27:36 UTC

released